Award-winning news, views, and insight from the ESET security community

What would a credit card breach cost your company?

We’ve noted recently that many companies store credit card information in an unencrypted form, sometimes several years' worth. So what happens if your systems get hacked before you get around to securing that credit card data? Sure, there’s the embarrassment of telling your customers their data has been exposed–a legal requirement in more than 40

Small businesses increasingly conduct payment card transactions online, a trend that will grow in the coming year. Many of them also lack skilled staff they can dedicate to securing a payment system, a fact that hasn’t escaped the scammers’ attention. As attacks on larger organizations run into sophisticated defenses, it makes sense for attackers to shift to smaller organizations that lack the budget for a dedicated security specialist or for specialized security equipment to guard against a breach. However, being unable to afford skilled security staff or specialized equipment does not mean SMBs can afford the expense of a breach. So what would a breach cost? One company asked Tracy Reed of Copilotco to answer that question for them. While some of Reed's data points are in 2009 dollars, his calculations paint a sobering picture of just how much a breach might cost.

“According to Gartner the average loss to the customer is $939 per credit card," says Reed, "So if your company has transacted roughly 65,000 cards, half of which would theoretically still be current and valid at the time of a breach, the reimbursement costs of the fraudulent charges to the cards alone could be $15,258,750.” And this assumes only half of the current cards are abused. Reed adds, “The card companies further charge to replace compromised credit cards." Costs to a merchant can be as much as $50 per card. The banks themselves have a card replacement cost that ranges from $2 to $5 per card. Reed put the merchant cost in this scenario at $812,500.

After the notifications, charge-offs, and card replacement comes a security audit. About this Reed says, “The card companies will require a forensic audit of the systems to determine how the compromise happened. According to Security Metrics, the cost of a forensic audit starts at $50,000.” Rounding out the audit costs, he continues, “After an intrusion a company is then classified as a Level 1 merchant and is subject to the strongest security and audit procedures. This means an annual on-site audit which will typically cost $100,000.” And then there are the fines. Reed says, “Major payment brands can impose fines as a result of the data exposure. Fines can be as high as $500,000. Non-compliance is a major determining point whether fines will be imposed.”

All told, the line items above add up to a bill of more than $16 million. Let’s say he’s only half right: the cost of the breach would “only” be the cost of a nicely equipped mid-size business jet and all the entertainment for your staff after you fly them to Cancun in style. You could probably pay for the ride home too, along with all the umbrella drinks for the week. And we haven’t even talked about the brand damage. This should be a serious concern for any business. Reputational damage was ranked above all other concerns related to cybercrime in the latest PwC global economic crime survey (so any junkets on the corporate jet would need to be postponed until your firm's reputation was restored).

A while back I read that Sony’s data breach costs topped $171 million and were still rising. Let’s just say a credit card breach would cost your company dearly. So, what would it cost you to protect your systems? You can probably make some major security improvements with a few extra developer hours and maybe some system administrator time. That suddenly seems very cheap relative to the risk exposure, and your customers would likely agree. Taking some basic precautions would make everyone happier, and a lot less stressed in the new year, though you still may have to spring for staff bonuses to get everyone to Cancun. But you can make them pay for the drinks.